Privacy Policy
Last updated: April 25, 2026
1. Information We Collect
Information You Provide
When you create an account or use AmmoIQ, you may provide us with the following information:
- Account Information: Email address, display name, and password (hashed with bcrypt and never stored in plaintext).
- Google OAuth Profile: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Profile Fields (all optional): First name, last name, mailing address (street, city, state, ZIP, country).
- Preferences: Preferred measurement units and adjustment units.
- User-Generated Content: Gun profiles (name, caliber, barrel length, twist rate, sight height, notes), DOPE cards (including photo uploads stored on cloud infrastructure), custom ammo loadouts, shooting session logs (including date, location, rounds fired, weather, notes), forum posts and threads, blog comments, favorites and bookmarks, shared loadouts and DOPE cards, push notification subscription preferences, and API key names.
Information Collected Automatically
When you use AmmoIQ, we automatically collect certain information, including:
- Pages visited and features used
- Ballistic calculations performed (input parameters only, not results)
- Login attempts (success or failure, collected for account security purposes)
- Device information (browser type, operating system, screen resolution)
- IP address, access times, and referring URLs
- Cloudflare Turnstile CAPTCHA verification data
- Azure Application Insights telemetry (performance metrics, error tracking, request metadata)
Sensitive Information
We recognize that gun profiles, DOPE cards, ammunition preferences, shooting session locations, and related firearms data may be considered sensitive personal information under certain privacy laws. We treat this data with heightened care, do not share it with third parties for marketing purposes, and do not use it for behavioral profiling or targeted advertising.
Community Activity
We track community activity such as content sharing and upvotes to calculate reputation scores. This data is used to recognize active community members and is not used for automated decision-making that produces legal or similarly significant effects.
2. Lawful Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases under the General Data Protection Regulation:
- Contract Performance: Processing necessary to operate your account, manage subscription billing, and deliver the features you have requested.
- Legitimate Interests: Security and fraud prevention, service improvement, and aggregate analytics to understand how our platform is used.
- Consent: Analytics cookies via Umami (loaded only with your consent) and marketing communications (only if you have opted in).
- Legal Obligation: Retention of tax records, responses to law enforcement requests, and compliance with court orders.
3. How We Use Information
- Provide the Service: Operate your account, process ballistic calculations, store your profiles and data, and deliver Premium features to subscribers.
- Process Payments: Handle subscription billing and payment processing through Stripe.
- Communicate: Send account-related emails including account confirmations, password resets, and subscription receipts. We do not send marketing communications without your consent.
- Send Push Notifications: Deliver web push notifications with your opt-in consent.
- Improve the Service: Analyze usage patterns, fix bugs, and develop new features.
- Enforce Terms: Detect and prevent abuse, fraud, and violations of our Terms of Service.
- Monitor Service Health: Use Application Insights telemetry to monitor performance and diagnose issues.
4. Cookies, Local Storage, and Tracking Technologies
AmmoIQ uses the following categories of cookies and client-side storage technologies:
- Essential: JWT httpOnly authentication cookie, refresh token cookie, and Cloudflare security cookies. These are strictly necessary for the Service to function.
- Functional: localStorage for UI preferences and IndexedDB for offline PWA functionality.
- Analytics: Umami analytics (loaded only with your consent).
For a complete breakdown of cookies and tracking technologies, see our Cookie Policy.
Do Not Track (DNT)
We honor Do Not Track browser signals. When DNT is enabled, we do not load analytics scripts.
Global Privacy Control (GPC)
We recognize Global Privacy Control (GPC) signals as a valid opt-out mechanism for the sale or sharing of personal information.
5. Third-Party Services and Sub-Processors
We use the following third-party services to operate AmmoIQ. Each service processes data only as necessary for its stated purpose:
We do not sell your personal data to any third party. We do not use third-party tracking cookies for advertising purposes.
6. Data Retention
- Active Accounts: Your data is retained for as long as your account remains active.
- Deleted Accounts:Personal identifiers (email, display name, avatar, Google ID, TOTP secrets) are cleared immediately upon account deletion. User-generated content (forum posts, shared DOPE cards) is retained in anonymized form with the author shown as "Deleted User." Any active Stripe subscription is cancelled at the time of account deletion.
- Webhook Events: Retained for 90 days, then automatically deleted.
- Security Audit Logs: Retained for 365 days, then automatically deleted.
- General Audit Logs: Retained for 90 days, then automatically deleted.
- Payment and Tax Records: Retained as required by applicable tax and financial record-keeping laws.
- Refresh Tokens: Deleted upon account deletion or expiry.
We may retain certain data longer if required by law or to resolve disputes.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or another jurisdiction with applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data.
- Right to Erasure:You have the right to request deletion of your personal data ("right to be forgotten").
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain circumstances.
- Right to Object to Processing: You have the right to object to processing of your personal data based on our legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent (such as analytics), you have the right to withdraw that consent at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority.
You can exercise your rights through the Settings page on your account (Export Data, Delete Account) or by contacting us at [email protected]. We will respond to your request within 30 days.
8. Your Rights (CCPA/CPRA — California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to Know: You have the right to know what personal information is collected about you and how it is used.
- Right to Delete: You have the right to request deletion of your personal information.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: AmmoIQ does not sell your personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: You will not be discriminated against for exercising any of your CCPA/CPRA rights.
Authorized Agents: An authorized agent may submit requests on your behalf with written authorization.
Categories of Personal Information Collected (per CCPA): Identifiers, commercial information, internet or other electronic network activity information, geolocation data, and professional or employment-related information.
To exercise your rights, contact us at [email protected].
9. Your Rights (Additional U.S. State Privacy Laws)
Residents of states with consumer privacy laws effective by 2026 -- including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Indiana, Kentucky, Rhode Island, and others -- may have additional rights under their respective state laws.
These rights generally include the ability to:
- Access your personal data
- Correct inaccurate personal data
- Delete your personal data
- Obtain a portable copy of your personal data
- Opt out of targeted advertising
We recognize Global Privacy Control (GPC) signals as a valid universal opt-out mechanism.
To exercise your rights, contact us at [email protected].
10. International Data Transfers
Your data is stored on Microsoft Azure servers in the United States. For users in the European Union, European Economic Area, or United Kingdom, data transfers are covered under Standard Contractual Clauses (SCCs) per the Microsoft Azure Data Processing Agreement.
By using the Service, you acknowledge that your data will be transferred to and processed in the United States, which may have different data protection standards than your home country.
11. Children's Privacy
AmmoIQ is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 in compliance with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has created an account, please contact us at [email protected].
12. Data Security
We implement the following security measures to protect your personal data:
- TLS encryption for all data in transit
- Azure encryption at rest for stored data
- bcrypt password hashing (passwords are never stored in plaintext)
- TOTP two-factor authentication with backup codes
- Account lockout after failed login attempts
- Rate limiting on authentication endpoints
- Cloudflare Turnstile CAPTCHA for bot protection
- Helmet.js security headers (Content Security Policy, HSTS, referrer policy)
- Role-based access control (FREE/PREMIUM/ADMIN)
- Azure Key Vault for secrets management
- Admin support impersonation is audit-logged with a full trail
While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
13. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify affected users within 72 hours or as soon as practicable after becoming aware of the breach, in accordance with applicable state and international notification laws.
Notification will be sent via email and will include:
- The nature of the breach
- The categories of data affected
- Steps taken to address the breach
- Recommended actions for users
We will also notify the relevant supervisory authority where required by law.
14. Push Notifications
AmmoIQ supports Web Push notifications using the VAPID (Voluntary Application Server Identification) protocol. Your subscription endpoint and encryption keys are stored server-side to deliver notifications.
You can enable or disable push notifications at any time from the Settings page on your account. Push notification data is not shared with third parties. Push notifications are strictly opt-in.
We will never send push notifications without your explicit permission.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and via prominent notice on the Service. We will update the "Last updated" date at the top of this page.
We encourage you to review this page periodically.
16. Data Protection Contact
For GDPR-related inquiries or other data protection questions, our designated contact can be reached at [email protected].
AmmoIQ, Idaho, United States